[Freeipa-users] default nisdomain appears to be derived from hostname of first master rather than set to domain or realm. Bug ?

Alexander Bokovoy abokovoy at redhat.com
Sat Mar 18 17:03:49 UTC 2017


On Sat, 18 Mar 2017, Bob Hinton wrote:
>Hi,
>
>The first IPA master we built was ipa001.local.lan. We have since
>created a number of subdomains of local.lan and have created a number of
>replicas. The current configuration has two clusters of IPA replicas -
>ipa001.mgmt.prod.local.lan to ipa003.mgmt.prod.local.lan and
>ipa001.mgmt.paas.local.lan to ipa003.mgmt.paas.local.lan
>
>We've recently commenced migrating some of the existing systems to a new
>environment and for various reasons have started with a fresh master -
>ipa001.mgmt.prod.local.lan.
>
>Quite a lot of sudo rules don't work in the new environment. As far as I
>can tell this is because the shadow netgroups have a nisdomain of
>mgmt.prod.local.lan instead of local.lan.
>
>I would have thought that the nisdomain should be set to either the
>domain or realm i.e. local.lan rather than seemingly taken from the
>network portion of the first master mgmt.prod.local.lan. Is this correct?
>
>Is there a way to change the default nisdomain? Rebuilding all the new
>IPA masters and migrating all the data again would be a lot of work.

The code that handles 'ipa netgroup-add' defaults to the IPA domain as
the default NIS domain name. You can change that by explicitly adding
'--nisdomain=specific.nis.domain' to 'ipa netgroup-add'. You can change
it for existing netgroups by specifying the --nisdomain option to 'ipa
netgroup-mod'.

-- 
/ Alexander Bokovoy
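
Added example, not part of the reply above and not FreeIPA code: a dry-run helper that reads a netgroup listing and prints the 'ipa netgroup-mod ... --nisdomain=' command for every netgroup whose NIS domain differs from the wanted one. The function names, the sample entries and the assumed listing layout ("cn:" and "nisdomainname:" lines, as from 'ipa netgroup-find --all --raw') are assumptions.

```shell
#!/bin/sh
# Constructed sample listing. Assumed layout: the "cn:" and "nisdomainname:"
# attribute lines printed by `ipa netgroup-find --all --raw`.
sample_listing() {
    cat <<'EOF'
  cn: web-admins
  description: constructed sample entry
  nisdomainname: mgmt.prod.local.lan

  cn: db-admins
  nisdomainname: local.lan

  cn: ops
  nisdomainname: mgmt.prod.local.lan
EOF
}

# plan_nisdomain_fix WANTED_DOMAIN   (netgroup listing on stdin)
# Prints one `ipa netgroup-mod` command for each netgroup whose NIS domain
# is missing or differs from WANTED_DOMAIN. Nothing is executed.
plan_nisdomain_fix() {
    awk -v want="$1" '
        function emit() {
            if (cn == "" || dom == want) {
                # no entry pending, or already correct
            } else if (cn !~ /^[A-Za-z0-9_.-]+$/) {
                # never place an unexpected name on a command line
                print "skipped unsafe name: " cn > "/dev/stderr"
            } else {
                printf "ipa netgroup-mod %s --nisdomain=%s\n", cn, want
            }
            cn = ""; dom = ""
        }
        # A "cn:" line starts the next entry, so emit the previous one first.
        $1 == "cn:"            { emit(); cn = $2 }
        $1 == "nisdomainname:" { dom = $2 }
        END                    { emit() }
    '
}

# Review the plan for the domain the sudo rules expect (local.lan here).
sample_listing | plan_nisdomain_fix local.lan
```

Against a live server, pipe the real listing into plan_nisdomain_fix and review the printed commands before running any of them.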



